PD-DM: An efficient locality-preserving block device mapper with plausible deniability

Chen, Chen; Chakraborti, Anrin; Sion, Radu

doi:10.2478/popets-2019-0009

Cited by 10 publications

(20 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Plausible deniability ultimately aims to enable users to deny the very existence of sensitive information on storage media when confronted by coercive adversaries e.g., border officers in oppressive regimes. This is essential in the fight against increasing censorship and intrusion into personal privacy [7,20] Unfortunately, it is impractical to deploy existing ORAM mechanisms in such systems due to prohibitively-high access latencies deriving from high asymptotic overheads for accessing items and ORAMinherent randomized access patterns. Also, a full ORAM protocol protecting access patterns of all operations in real time may be unnecessary for plausible-deniability.…”

Section: Introductionmentioning

confidence: 99%

“…For example, HIVE is almost four orders of magnitude slower than HDDs and two orders of magnitude slower than SSDs. The main contributor to this slowdown is the random placement of data meant to break linkability between separate writes [7,24], an important property ensuring that an adversary cannot link a set of writes to each other logically, given multiple snapshots of the media. Random data placement results in dramatically increased disk-seek related latencies.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SqORAM: Read-Optimized Sequential Write-Only Oblivious RAM

Chakraborti

Sion

2020

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Oblivious RAMs (ORAMs) allow a client to access data from an untrusted storage device without revealing the access patterns. Typically, the ORAM adversary can observe both read and write accesses. Write-only ORAMs target a more practical, multi-snapshot adversary only monitoring client writes – typical for plausible deniability and censorship-resilient systems. This allows write-only ORAMs to achieve significantly-better asymptotic performance. However, these apparent gains do not materialize in real deployments primarily due to the random data placement strategies used to break correlations between logical and physical names-paces, a required property for write access privacy. Random access performs poorly on both rotational disks and SSDs (often increasing wear significantly, and interfering with wear-leveling mechanisms).In this work, we introduce SqORAM, a new locality-preserving write-only ORAM that preserves write access privacy without requiring random data access. Data blocks close to each other in the logical domain land in close proximity on the physical media. Importantly, SqORAM maintains this data locality property over time, significantly increasing read throughput.A full Linux kernel-level implementation of SqORAM is 100x faster than non locality-preserving solutions for standard workloads and is 60-100% faster than the state-of-the-art for typical file system workloads.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

SqORAM: Read-Optimized Sequential Write-Only Oblivious RAM

Chakraborti

Sion

2020

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

show abstract

“…In practice, protecting against such powerful adversaries is essential due to increasing instances of intrusion by unfriendly powerful nation state adversaries [15,21]. This is sometimes a matter of life and death [23] as documented in numerous cases where information had to be transferred through checkpoints manned by hostile adversaries.…”

mentioning

confidence: 99%

“…To protect against multi-snapshot adversaries, several recent systems [12,14,15,23] have proposed mechanisms that plausibly "explain" all device state changes via public data operations, in effect protecting access patterns to hidden data.…”

mentioning

confidence: 99%

“…Yet, all existing PDS feature a critical shortcoming that renders them insecure in practice and may subject their users to "rubberhose" attacks: the system is unable to hide the fact that a special storage mechanism is being used which potentially allows the user to hide data. In particular, the presence of system-specific metadata e.g, special indexing structures stored on disk to track hidden information [12,14,15] or other design artifacts such as non-standard on-disk data layout [23], ultimately reveal to the adversary that the user is using a plausible deniable storage system. However, the use of a PDS can in itself raise suspicion -since why would one use such a storage system especially if it is slower than existing standard systems -unless there is something to be hidden.…”

mentioning

confidence: 99%

See 1 more Smart Citation

INFUSE: Invisible plausibly-deniable file system for NAND flash

Chen

Chakraborti

Sion

2020

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Protecting sensitive data stored on local storage devices e.g., laptops, tablets etc. is essential for privacy. When adversaries are powerful enough to coerce users to reveal encryption keys/passwords, encryption alone becomes insufficient for data protection. Additional mechanisms are required to hide the very presence of sensitive data.Plausibly deniable storage systems (PDS) are designed to defend against such powerful adversaries. Plausible deniability allows a user to deny the existence of certain stored data even when an adversary has access to the storage medium. However, existing plausible deniability solutions leave users at the mercy of adversaries suspicious of their very use. Indeed, it may be difficult to justify the use of a plausible deniability system while claiming that no sensitive data is being hidden.This work introduces INFUSE, a plausibly-deniable file system that hides not only contents but also the evidence that a particular system is being used to hide data. INFUSE is “invisible” (identical layout with standard file system), provides redundancy, handles overwrites, survives data loss, and is secure in the presence of multi-snapshot adversaries. INFUSE is efficient. Public data operations are orders of magnitude faster than existing multi-snapshot resilient PD systems, and only 15% slower than a standard non-PD baseline, and hidden data operations perform comparably to existing systems.

show abstract

False-Bottom Encryption: Deniable Encryption From Secret Sharing

2023

View full text Add to dashboard Cite

We show how to implement a deniable encryption method from secret sharing. Unlike the related concept of honey encryption, which employs a preprocessing step in symmetric encryption to re-shape the distribution of a plaintext towards making the real plaintext indistinguishable from a ciphertext for a fake message, we can avoid both, computational intractability assumptions and preprocessing of the data. This accomplishes deniability against an attacker that can force decryptions, and it can brute-force break a ciphertext with sufficient computational power. Following the concept of plausible deniability, we herein have different decryption keys to open up distinct plaintexts from within the same ciphertext. For instance, a plaintext revealed from a ciphertext with a key which was shared by a victim under duress, will convince the attacker that it is real, while the actual secret remains unnoticed. False Bottom Encryption constructs a symmetric scheme (in the sense of using the same key to encrypt and decrypt) that shares the properties of both honey encryption and deniable encryption. We specifically formalize and differentiate ''deniable'' from ''plausibly deniable'' as a security feature, showing how plausible deniability falls back to (only) deniability, depending on the plaintext distribution. Our scheme is simple, lightweight to implement and efficient in terms of encryption and decryption, and is based on secret sharing. As such, we do not rely on computational intractability. We corroborate the construction by giving numeric examples and providing implementations of the method as a Jupyter notebook supplementary to this work.

show abstract

PD-DM: An efficient locality-preserving block device mapper with plausible deniability

Cited by 10 publications

References 16 publications

SqORAM: Read-Optimized Sequential Write-Only Oblivious RAM

SqORAM: Read-Optimized Sequential Write-Only Oblivious RAM

INFUSE: Invisible plausibly-deniable file system for NAND flash

False-Bottom Encryption: Deniable Encryption From Secret Sharing

Contact Info

Product

Resources

About